Proxy-SSH and SSH tunnels Setup

Introduction

Before following the instructions on this twiki, make sure you have followed all of the instructions in the "Accounts, Group Memberships, Certificates, Etc." section of the CompOpsWorkflowNewOperatorSetup twiki.

This twiki contains instructions for creating ssh tunnels to the machines where instances of WMAgent are running. The tunnels are necessary in order to monitor and control the agents. Currently, there are four machines at CERN and three machines at FNAL that are running instances of WMAgent. This list of machines, however, is likely to change in the future: Wmagent Machines. You should be able to create ssh tunnels to all of them.

First, follow the instructions in the section called "Initial Setup Instructions". These instructions only need to be followed once.

Then, each time that you want to create a tunnel, follow the instructions in the sections called "Instructions for SSH Tunnels Setup for CERN machines" and "Instructions for SSH Tunnels Setup for FNAL machines".

Initial Setup Instructions

  1. Information about Kerberos and SSH:
  2. Install/Update your Kerberos configuration
  3. put the proxy-ssh script in the $PATH of your local machine
  4. make it executable
    • chmod 755 proxy-ssh
  5. put the config file in ~/.ssh/config of your local machine
  6. set up your user account name for CERN and FNAL
    • if your local user account name is different from your CERN afs account name:
      • for example, if your afs user name is gutsche:
      1. in ~/.ssh/config, add User <CERN afs account name> to the entry for CERN machines, changing
        Host *.cern.ch
          GSSAPITrustDNS no
        
        to
        Host *.cern.ch
          User gutsche
          GSSAPITrustDNS no
        
      2. in proxy-ssh, change the following line to use your <CERN afs account name>:
        *.cern.ch )  ensure_ticket ${principal:-$USER@CERN.CH} ;;
        
        to
        *.cern.ch )  ensure_ticket ${principal:-gutsche@CERN.CH} ;;
        
  7. you are ready to continue to set up the SSH tunnels.
    • TIP: ask/research about configuring your .bashrc for aliases and shortcuts
    • TIP for MAC: link your Kerberos with Keychain Access (keychain access in Mac holds Kerberos passwords, and it is accessed with every kinit execution)
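
The host-to-principal selection that step 6 edits by hand, written as an added example (this is not the proxy-ssh script, whose ensure_ticket body is not shown on this page). The function names and the CERN_USER / FNAL_USER variables are assumptions; the account name comes from the environment instead of a hard-coded edit, and the realm is always written in capitals.

```shell
#!/bin/sh
# Added example, not the CMS proxy-ssh script. Function names and the
# CERN_USER / FNAL_USER variables are hypothetical.

# Print the Kerberos principal needed for host $1; return 1 if the host
# belongs to neither site.
principal_for_host() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')    # hostnames are case-insensitive
    case "$host" in
        *.cern.ch)  user=${CERN_USER:-$USER}; realm=CERN.CH ;;
        *.fnal.gov) user=${FNAL_USER:-$USER}; realm=FNAL.GOV ;;
        *)          return 1 ;;
    esac
    [ -n "$user" ] || return 1
    # Drop any realm typed with the account name and append it in capitals.
    printf '%s@%s\n' "${user%%@*}" "$realm"
}

# Succeed only if the credential cache holds a valid ticket for principal $1.
have_ticket() {
    klist -s 2>/dev/null || return 1             # no cache, or ticket expired
    klist 2>/dev/null | awk -v p="$1" \
        'tolower($0) ~ /principal:/ && $NF == p { ok = 1 } END { exit !ok }'
}

# Get a 24-hour ticket (the lifetime used on this page) only when needed.
ensure_ticket_for() {
    p=$(principal_for_host "$1") || {
        echo "no Kerberos realm known for host: $1" >&2
        return 2
    }
    have_ticket "$p" || kinit -l 86400 "$p"
}

# Usage: ensure_ticket_for vocms049.cern.ch && ssh vocms049.cern.ch
```

Refusing hosts outside the two known domains keeps a mistyped hostname from triggering a password prompt for the wrong realm.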

Instructions for SSH Tunnels Setup for CERN machines

Here we use the example of creating a tunnel to vocms85.cern.ch.

  • kinit -l 86400 your_cern_username@CERN.CH (note that "CERN" and the "CH" must be in all capital letters)
    ssh vocms049.cern.ch
    
    or
    proxy-ssh vocms049.cern.ch
    

Instructions for SSH Tunnels Setup for FNAL machines

Here we use the example of creating a tunnel to cmssrv217.fnal.gov.

  • kinit -l 86400 your_fnal_username@FNAL.GOV (note that "FNAL" and the "GOV" must be in all capital letters)
    ssh cmslpc-sl6.fnal.gov
    ssh cmsdataops@cmssrv217.fnal.gov
    
    or
    proxy-ssh cmssrv217.fnal.gov
    

Revisions

JulianBadillo - 2015-03-25
Topic revision: r12 - 2015-03-25 - JulianBadillo